Cybersecurity Insurance

Cybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage. A robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection. Many companies forego available policies, however, citing as rationales the perceived high cost of those policies, confusion about what they cover, and uncertainty that their organizations will suffer a cyber attack. In recent years, the Department of Homeland Security National Protection and Programs Directorate (NPPD) has engaged key stakeholders to address this emerging cyber risk area.

Cyber Risk Management and Cybersecurity Insurance

Traditional commercial general liability and property insurance policies typically exclude cyber risks from their terms, leading to the emergence of cybersecurity insurance as a “stand alone” line of coverage. That coverage provides protection against a wide range of cyber incident losses that businesses may suffer directly or cause to others, including costs arising from data destruction and/or theft, extortion demands, hacking, denial of service attacks, crisis management activity related to data breaches, and legal claims for defamation, fraud, and privacy violations. Few cybersecurity insurance policies, however, provide businesses with coverage for an area of growing private and public concern: the physical damage and bodily harm that could result from a successful cyber attack against critical infrastructure.

Since 2012, NPPD has engaged academia, infrastructure owners and operators, insurers, chief information security officers (CISOs), risk managers, and others to find ways to expand the cybersecurity insurance market’s ability to address this emerging cyber risk area. More broadly, NPPD has sought input from these same stakeholders on the market’s potential to encourage businesses to improve their cybersecurity in return for more coverage at more affordable rates. NPPD is currently facilitating dialogue with CISOs, Chief Security Officers (CSOs), and insurers about how a cyber incident data repository could foster both the identification of emerging cybersecurity best practices across sectors and the development of new cybersecurity insurance policies that “reward” businesses for adopting and enforcing those best practices.

DHS Cybersecurity Insurance Working Sessions

From 2012 through 2014, DHS hosted four separate working sessions where cybersecurity professionals examined the existing cybersecurity insurance marketplace, described obstacles to expanding and improving it, and identified three key ideas for overcoming the most pervasive of those obstacles:

Cyber incident consequence analytics. The development of new cyber risk scenarios, models, and simulations – based on repository data – could help promote understanding about how a cyber attack might cascade across infrastructure sectors and where opportunities for risk mitigations might exist.

Enterprise Risk Management (ERM). An accepted approach for fusing cyber risk into traditional ERM programs could help organizations of all sizes better prioritize and manage their top business risks.

Additional information about the working sessions, including Readout Reports summarizing session discussions and findings, can be found on the Insurance Industry Readout Reports webpage.

Benefits of a Cyber Incident Data Repository

Following the working sessions and based on the recommendations of the participants, NPPD continues to explore the benefits and feasibility of a cyber incident data repository that creates a trusted environment for enterprise risk owners to anonymously share sensitive cyber incident data. Conceptually, that data, once aggregated and analyzed, will result in increased awareness about current cyber risk conditions and longer-term cyber risk trends. New analytics products, rooted in rich repository data, in turn will help inform more effective cyber risk management investments by both private and public sector organizations as well as better cybersecurity insurance products. As the culmination of this conceptual effort, NPPD will aim to find answers to three key questions:

Are owners and operators of existing repositories open to leveraging external cyber incident data and analysis knowledge and incorporating it into their existing structures?

If not, should a new cyber incident data repository be developed?

Cyber Incident Data and Analysis Working Group

As a follow-on to the working sessions, NPPD established a Cyber Incident Data and Analysis Working Group (CIDAWG), comprised of CISOs and CSOs from various critical infrastructure sectors, insurers, and other cybersecurity professionals, to deliberate and develop key findings and conclusions about:

The value proposition of a cyber incident data repository;

The cyber incident data points that should be shared into a repository to support needed analysis;

Methods to incentivize such sharing on a voluntary basis; and

A potential repository’s structure and functions.

The Value Proposition. Details how a cyber incident data repository could help advance the cause of cyber risk management and, with the right repository data, the kinds of analysis that would be useful to CISOs, CSOs, insurers, and other cybersecurity professionals.

On April 19-20, 2016, the National Protection and Programs Directorate (NPPD) hosted a workshop to discuss the value and the feasibility of a cyber incident data and analysis repository. The workshop built on the work the CIDAWG has accomplished thus far and focused on the execution of the repository. For more details on the event and workshop materials go to: https://www.dhs.gov/event/cidar-workshop.

On March 28, 2016, the National Protection and Programs Directorate (NPPD) published a Federal Register Notice (FRN), which sought comments on the benefits and feasibility of a cyber incident data and analysis repository (CIDAR) and requested feedback on three white papers the Cyber Incident Data and Analysis Working Group (CIDAWG) developed from February through December, 2015:

The value proposition of a CIDAR;

The cyber incident data points that should be shared into a repository to support needed analysis; and